Abstract: This paper proposes a new fuzzy logic approach to analysis and intrusion detection in 802.11 wireless networks. The algorithm consists of five steps. First, build the network and generate many cases of daily traffic and intrusion; at the same time, capture the values of the system and network parameters and associate with them a potential severity alarm degree. Second, generate fuzzy rules from the numerical data using the Wang-Mendel method. Third, implement the new rule base on each computer and start the system; then set it to capture the parameters cyclically and compute the severity alarm. If it detects an intrusion, it sends a message to every network node. Fourth, in case of errors or no system response, start the learning mechanism by injecting numerical values and generating fuzzy rules.
SETIT2007
way, gains intelligence by monitoring the transmissions for patterns of communication. A considerable amount of information is contained in the flow of messages between communicating parties.

the management console. Their starter kit provides five sensors and can guard up to ten access points (APs). AirDefense detects intruders and attacks and also diagnoses potential vulnerabilities in the network like misconfigurations [Y.X.Lim & al. 12].
5.3. Composition
In this step, also called aggregation of rules, all fuzzy sets assigned to the conclusion part of the rules after inference are combined to form a single fuzzy subset. A new membership function is thereby created. In general the Sum or the Max function is used.

5.4. Defuzzification
Sometimes it is enough to examine just the fuzzy set of the output variables that results from the composition process. Often, however, these fuzzy values need to be converted into a single number; this is the purpose of the defuzzification process. Several defuzzification methods exist; the center of gravity and the Max methods are the two most prevalent. In the first, the output value is computed as the center of gravity of the membership function of the fuzzy output. In the second, the value at which the fuzzy subset reaches its maximum degree of truth is selected.

Step 1: divide the input and output spaces of the given numerical data into fuzzy regions.

Step 2: generate fuzzy rules from the given data: first determine the degrees of the given data in the different regions, then assign each value to the region with the maximum degree, and finally obtain one rule from each pair of desired input/output data.

Step 3: assign a degree of truth to each of the generated rules for the purpose of resolving conflicts among them.

Step 4: create a combined fuzzy rule base from both the generated rules and the linguistic rules of human experts.

Step 5: determine a mapping from the input space to the output space based on the combined fuzzy rule base, using a defuzzification procedure.
- PN : Process number
- OctRecN : Received octet number
- OctSentN : Sent octet number
- PktRecN : Received packet number
- PktSentN : Sent packet number
- BW : Bandwidth
7.6. Learning
In the case where the system cannot respond or gives wrong results, a learning process is run. It consists of capturing the values of each parameter and assigning to them a severity alarm degree, then running the fuzzy rule generation algorithm and storing the resulting rules in the database. The result of this operation must be injected into each wireless intrusion detector.
Figure 3: OctRecN membership function
7.3. Traffic generation
For traffic generation, different cases are considered. Five test scenarios are realized, covering different cases of use. Results depend on the daily network traffic and the nature of the applications. This step must be carried out in each network before starting the system on each node. In our case we consider a network with six nodes; the generated traffic corresponds to the flow of a research unit. One of these scenarios consists of:
- starting six PCs in the network
- starting many applications (Matlab, oracle, jbuilder, …) on different nodes
- starting download operations
- starting an active intrusion
- capturing the different values and assigning to them a high severity alarm (in this case 5)

8. Application results
Two of the rules obtained from the initial numerical data are:
• if PN is Low and OctRecN is Low and OctSentN is Low and BW is Low and PktRecN is Low and PktSentN is Low then SA is Low
• if PN is Medium High and OctRecN is Medium Low and OctSentN is High and BW is Medium and PktRecN is Medium and PktSentN is Medium then SA is High
where SA is the severity alarm.

Figures 5 and 6 present the evolution of the parameters PN and PktSentN. Through them, we can distinguish the different network working scenarios: low and high traffic.
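The following is an added example, not the paper's code: it implements Steps 1 through 5 of the rule generation method (fuzzy regions, one rule per sample, conflict resolution by rule degree), evaluates the resulting rule base with the Max composition and the center-of-gravity and Max defuzzification methods of Sections 5.3 and 5.4, and returns no answer when no rule fires, which is the situation Section 7.6 (Learning) is meant to repair. It reduces the paper's six parameters to two (PN and PktSentN) with three regions each instead of the five the paper's rules use; the parameter domains, the 0..5 severity scale and the training samples are constructed assumptions.

```python
"""Wang-Mendel rule generation (Steps 1-5) plus Max composition and
centroid / Max-method defuzzification (Sections 5.3-5.4) on a two-input toy
version of the paper's severity-alarm (SA) estimator.
Added example, not the paper's code; domains, region counts and the
training samples are constructed assumptions."""

NAMES = ("Low", "Medium", "High")  # the paper also uses Medium Low / Medium High


def triangular(x, a, b, c):
    """Triangular membership: 0 at a and c, 1 at the peak b."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)


def make_regions(lo, hi, names=NAMES):
    """Step 1: cover [lo, hi] with len(names) overlapping triangles whose peaks
    are evenly spaced; edge triangles extend past the domain so lo and hi have
    degree 1 in the outermost regions. Inputs are assumed to stay in [lo, hi]."""
    step = (hi - lo) / (len(names) - 1)
    return {name: (lo + (i - 1) * step, lo + i * step, lo + (i + 1) * step)
            for i, name in enumerate(names)}


def degrees(x, regions):
    """Degree of x in every region of one variable."""
    return {name: triangular(x, *abc) for name, abc in regions.items()}


def best_region(x, regions):
    """Region in which x has the highest degree, together with that degree."""
    d = degrees(x, regions)
    name = max(d, key=d.get)
    return name, d[name]


def generate_rules(samples, in_regions, out_regions):
    """Steps 2-3: one candidate rule per (inputs, output) sample, each value
    assigned to its best region; rule degree = product of those degrees.
    Samples with the same antecedent but different consequents conflict and
    only the higher-degree rule survives.
    Returns {antecedent_tuple: (consequent_region, degree)}."""
    rules = {}
    for xs, y in samples:
        antecedent, degree = [], 1.0
        for x, regions in zip(xs, in_regions):
            name, d = best_region(x, regions)
            antecedent.append(name)
            degree *= d
        consequent, d = best_region(y, out_regions)
        degree *= d
        key = tuple(antecedent)
        if key not in rules or rules[key][1] < degree:
            rules[key] = (consequent, degree)
    return rules


def infer(xs, rules, in_regions, out_regions, out_lo, out_hi, steps=500):
    """Step 5 with Sections 5.3-5.4: AND = min over antecedent degrees, each
    rule clips its output region at its firing strength, Max composition
    merges the clipped sets, then the centroid and the Max-method value (peak
    of the strongest rule's output region) are both returned."""
    firing = {}
    for antecedent, (consequent, _) in rules.items():
        w = min(degrees(x, regions)[name]
                for x, regions, name in zip(xs, in_regions, antecedent))
        if w > 0.0:
            firing[consequent] = max(firing.get(consequent, 0.0), w)
    if not firing:
        return None, None  # no rule covers this input: the 7.6 Learning case
    num = den = 0.0
    for i in range(steps + 1):  # discretised centre of gravity
        y = out_lo + (out_hi - out_lo) * i / steps
        mu = max(min(w, triangular(y, *out_regions[c])) for c, w in firing.items())
        num += y * mu
        den += mu
    centroid = num / den if den else None
    max_method = out_regions[max(firing, key=firing.get)][1]
    return centroid, max_method


# Constructed domains: PN = processes per node, PktSentN = packets sent per
# polling interval, SA = severity alarm on a 0..5 scale (5 = high, as in 7.3).
IN_REGIONS = (make_regions(0, 100), make_regions(0, 1000))
SA_REGIONS = make_regions(0, 5)

# Constructed training samples ((PN, PktSentN), SA). The last one conflicts
# with the third (same antecedent regions, different SA) and must lose.
SAMPLES = [((5, 40), 0.2), ((10, 60), 0.5), ((48, 520), 2.4),
           ((55, 900), 4.7), ((95, 950), 5.0), ((45, 480), 4.0)]


def build_rules():
    return generate_rules(SAMPLES, IN_REGIONS, SA_REGIONS)


def severity(pn, pkt_sent, rules=None):
    """Crisp SA for one polling cycle: (centroid value, Max-method value)."""
    rules = rules if rules is not None else build_rules()
    return infer((pn, pkt_sent), rules, IN_REGIONS, SA_REGIONS, 0, 5)


if __name__ == "__main__":
    rb = build_rules()
    for ante, (cons, deg) in sorted(rb.items()):
        print(f"if PN is {ante[0]} and PktSentN is {ante[1]} then SA is {cons} ({deg:.2f})")
    for pn, pkt in ((5, 40), (50, 500), (95, 950)):
        print(pn, pkt, severity(pn, pkt, rb))
```

The conflict sample ((45, 480) with SA 4.0) lands in the same Medium/Medium antecedent as (48, 520) but with a lower rule degree, so Step 3 keeps the Medium consequent; with the paper's six parameters and five regions the procedure is identical, only the rule key is longer. A node that polls its counters cyclically would call severity() each cycle and treat a None result as the trigger for the learning step.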
9. Conclusion
This work is one of many different first steps for
wireless network intrusion detection.